初步实现数据加密、权限管理、日志审计等功能

2026-02-02 10:09:28 +08:00
parent b6b37a453b
commit 807e634318
27 changed files with 3787 additions and 59 deletions
--- a/app/core/encryption.py
+++ b/app/core/encryption.py
@@ -1,9 +1,87 @@
-# Placeholder for encryption logic
+from cryptography.fernet import Fernet
+from typing import Optional
+import base64
+import os
+
 class Encryptor:
+    """
+    使用 Fernet (对称加密) 实现数据加密/解密
+    适用于加密敏感配置、用户数据等
+    """
+    
+    def __init__(self, key: Optional[bytes] = None):
+        """
+        初始化加密器
+        
+        Args:
+            key: 加密密钥，如果为 None 则从环境变量读取
+        """
+        if key is None:
+            key_str = os.getenv("ENCRYPTION_KEY")
+            if not key_str:
+                raise ValueError(
+                    "ENCRYPTION_KEY not found in environment variables. "
+                    "Generate one using: Encryptor.generate_key()"
+                )
+            key = key_str.encode()
+        
+        self.fernet = Fernet(key)
+    
    def encrypt(self, data: str) -> str:
-        return data # Implement actual encryption
-
+        """
+        加密字符串
+        
+        Args:
+            data: 待加密的明文字符串
+            
+        Returns:
+            Base64 编码的加密字符串
+        """
+        if not data:
+            return data
+        
+        encrypted_bytes = self.fernet.encrypt(data.encode())
+        return encrypted_bytes.decode()
+    
    def decrypt(self, data: str) -> str:
-        return data # Implement actual decryption
+        """
+        解密字符串
+        
+        Args:
+            data: Base64 编码的加密字符串
+            
+        Returns:
+            解密后的明文字符串
+        """
+        if not data:
+            return data
+        
+        decrypted_bytes = self.fernet.decrypt(data.encode())
+        return decrypted_bytes.decode()
+    
+    @staticmethod
+    def generate_key() -> str:
+        """
+        生成新的 Fernet 加密密钥
+        
+        Returns:
+            Base64 编码的密钥字符串
+        """
+        key = Fernet.generate_key()
+        return key.decode()

-encryptor = Encryptor()
+# 全局加密器实例（懒加载）
+_encryptor: Optional[Encryptor] = None
+
+def get_encryptor() -> Encryptor:
+    """获取全局加密器实例"""
+    global _encryptor
+    if _encryptor is None:
+        _encryptor = Encryptor()
+    return _encryptor
+
+# 向后兼容（延迟加载）
+def __getattr__(name):
+    if name == "encryptor":
+        return get_encryptor()
+    raise AttributeError(f"module '{__name__}' has no attribute '{name}'")